Amendments to the claims

Listing of all claims pursuant to 37 CFR 1.121(c) 

This listing of claims will replace all prior versions, and listings, of claims in the 
application: 

What is claimed is: 

1. (Currently amended) In a computer system, a method for protecting sensitive 
information, the method comprising: 

receiving input of sensitive information from a user; 

computing a data shadow of the sensitive information for storage in a repository, 
and thereafter discarding the input so that the sensitive information itself is not stored; 

based on the data shadow stored in the repository, detecting any attempt to 
transmit the sensitive information; and 

blocking any detected attempt to transmit the sensitive information that is not 
authorized by the user. 

2. (Original) The method of claim 1, wherein said sensitive information 
comprises structured data. 

3. (Original) The method of claim 2, wherein said data shadow is computed for 
the structured data as a regular expression and a hash. 

4. (Original) The method of claim 3, wherein said hash comprises a MD-5 hash. 

5. (Original) The method of claim 2, wherein said structured data includes credit 
card number information. 

6. (Original) The method of claim 2, wherein said structured data includes Social 
Security number information. 

7. (Original) The method of claim 3, wherein said regular expression represents 
formatting information for said structured data. 

8. (Original) The method of claim 3, wherein said hash is computed after 
normalization of the structured data. 

9. (Original) The method of claim 8, wherein said normalization includes 
removing any formatting information before computing the hash. 

10. (Original) The method of claim 1, wherein said sensitive information 
comprises structured data and said detecting step includes: 

initially detecting said structured data by matching a format for that structured 
data. 

11. (Original) The method of claim 1, wherein said sensitive information 
comprises literal data. 

12. (Original) The method of claim 11, wherein said data shadow is computed for 
the literal data as a length value plus at least one hash of the literal data. 

13. (Original) The method of claim 12, wherein said at least one hash includes an 
additional first pass hash or checksum value computed for the literal data. 

14. (Original) The method of claim 12, wherein said at least one hash includes a 
MD-5 hash computed for the literal data. 

15. (Original) The method of claim 1, wherein said at least one hash includes an 
optional checksum value computed for the literal data that allows relatively quick 
detection of the sensitive information and a MD-5 hash that allows subsequent 
verification. 

16. (Original) The method of claim 1, wherein said receiving input step includes: 
receiving input indicating a type for the sensitive information. 

17. (Original) The method of claim 16, wherein said receiving input indicating a 
type includes: 

receiving input indicating that the sensitive information is a password. 

18. (Original) The method of claim 16, wherein said receiving input indicating a 
type includes: 

receiving input indicating that the sensitive information is a Social Security 
number. 

19. (Original) The method of claim 16, wherein said receiving input indicating a 
type includes: 

receiving input indicating that the sensitive information is a credit card number. 

20. (Original) The method of claim 16, wherein said receiving input indicating a 
type includes: 

receiving input indicating that the sensitive information is a personal 
identification number (PIN). 

21. (Original) The method of claim 1, further comprising: 
automatically determining a type for the sensitive information that indicates 
formatting. 

22. (Original) The method of claim 21, wherein said step of automatically 
determining a type includes: 

matching the input against a template for identifying a type. 

23. (Original) The method of claim 1, wherein said detecting step includes: 
trapping an outbound buffer of data that may contain the sensitive information; and 

in instances where the sensitive information comprises structured data, 
performing a regular expression search on the outbound buffer. 

24. (Original) The method of claim 23, further comprising: 

if a regular expression match is found, normalizing data from the match so as to 
remove formatting and thereafter computing a hash on it, for comparison with 
corresponding hash values stored in the repository. 

25. (Original) The method of claim 24, wherein said hash is a MD-5 hash. 

26. (Original) The method of claim 1, wherein said detecting step includes: 
trapping an outbound buffer of data that may contain the sensitive information; and 

in instances where the sensitive information comprises literal data, performing a 
sliding window search on the outbound buffer. 

27. (Original) The method of claim 26, wherein said sliding window search 
includes performing an optional checksum calculation on successive blocks of bytes 
within the outbound buffer, for comparison with corresponding checksum values stored 
in the repository. 

28. (Original) The method of claim 27, further comprising: 

if a match is found based on the checksum comparison, verifying the match with a 
MD-5 hash performed on data from the match. 

29. (Original) The method of claim 28, wherein said MD-5 hash performed on 
data from the match is compared against a corresponding MD-5 hash value stored in the 
repository. 

30. (Original) The method of claim 1, wherein said step of blocking includes: 
referencing a stored policy indicating whether the sensitive information should be 
blocked from transmission. 

31. (Original) A computer-readable medium having processor-executable 
instructions for performing the method of claim 1. 

32. (Original) A downloadable set of processor-executable instructions for 
performing the method of claim 1. 
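As an added illustration (not part of the application or its specification), the following Python sketches the two data-shadow shapes recited in claims 3, 8-9 and 12-15 together with the detection steps of claims 24 and 27-29: a structured secret is reduced to a format regex plus an MD5 of its normalized digits, a literal secret to its length, a fast first-pass checksum and an MD5; only the shadow is retained, and an outbound buffer is scanned against it. The credit-card regex, the choice of Adler-32 as the first-pass checksum and all sample values are assumptions.

```python
import hashlib
import re
import zlib

# Assumed format regex for a 13-16 digit card number with optional separators.
CARD_RE = re.compile(rb"\b(?:\d[ -]?){13,16}\b")


def normalize(raw: bytes) -> bytes:
    """Strip formatting (spaces, dashes) so the hash is format-independent (claims 8-9)."""
    return re.sub(rb"[^0-9]", b"", raw)


def shadow_structured(secret: bytes) -> dict:
    """Data shadow for structured data: a regex plus an MD5 of the normalized value (claim 3)."""
    return {"kind": "structured", "regex": CARD_RE,
            "md5": hashlib.md5(normalize(secret)).hexdigest()}


def shadow_literal(secret: bytes) -> dict:
    """Data shadow for literal data: length, first-pass checksum, MD5 (claims 12-15)."""
    return {"kind": "literal", "length": len(secret),
            "checksum": zlib.adler32(secret),        # assumed cheap first-pass checksum
            "md5": hashlib.md5(secret).hexdigest()}  # verification hash


def scan_outbound(buf: bytes, shadows: list) -> list:
    """Return (kind, offset) for every shadow located in an outbound buffer.

    Only the shadows are consulted; the original secrets were discarded."""
    hits = []
    for s in shadows:
        if s["kind"] == "structured":
            # Claims 23-24: regex search first, then normalize and hash the match.
            for m in s["regex"].finditer(buf):
                if hashlib.md5(normalize(m.group())).hexdigest() == s["md5"]:
                    hits.append(("structured", m.start()))
        else:
            # Claims 26-29: sliding window of the stored length; only blocks whose
            # cheap checksum matches pay for the MD5 verification.
            n = s["length"]
            for i in range(len(buf) - n + 1):
                block = buf[i:i + n]
                if (zlib.adler32(block) == s["checksum"]
                        and hashlib.md5(block).hexdigest() == s["md5"]):
                    hits.append(("literal", i))
    return hits
```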

33. (Currently amended) In a computer system, a method for securing sensitive 
items from inappropriate access, the method comprising: 

receiving input from a user indicating that a particular sensitive item is to be 
protected from inappropriate access; 

storing metadata characterizing the particular sensitive item, and thereafter 
discarding the input so that the particular sensitive item itself is not stored; 

based on the stored metadata, detecting whether the particular sensitive item is 
present in any transmission of outgoing data; and 

trapping any transmission of outgoing data that is detected to contain the 
particular sensitive item. 

34. (Original) The method of claim 33, further comprising: 

a policy indicating what action should be taken by the system upon trapping 
transmission of outgoing data that contains the particular sensitive item. 

35. (Original) The method of claim 34, wherein said action includes blocking any 
trapped transmission. 

36. (Original) The method of claim 34, wherein said action includes querying the 
user about whether the particular sensitive item may be transmitted. 

37. (Original) The method of claim 33, wherein said metadata includes a one-way 
hash of the particular sensitive item. 

38. (Original) The method of claim 37, wherein said one-way hash comprises a 
MD-5 hash. 

39. (Original) The method of claim 33, wherein said particular sensitive item 
comprises structured data, and wherein said metadata includes regular expression 
information characterizing a particular format for the structured data and includes a hash 
computed on unformatted data extracted from said structured data. 

40. (Original) The method of claim 39, wherein said trapping step includes: 
locating the particular sensitive item by first performing a regular expression 
search on the outgoing data for finding a match based on formatting; and 

for any match found based on formatting, performing a hash on the match to 
determine whether it matches a corresponding hash stored as part of the metadata. 

41. (Original) The method of claim 33, wherein said particular sensitive item 
comprises literal data and wherein said metadata comprises a length value plus at least 
one hash of the literal data. 

42. (Original) The method of claim 41, wherein said trapping step includes: 
locating the particular sensitive item by first performing a sliding window search 
through the outgoing data for a block of bytes having a size equal to said length value and 
having a hash value equal to one of said at least one hash of the literal data. 

43. (Original) The method of claim 42, wherein said at least one hash includes a 
MD-5 message digest computation. 

44. (Original) The method of claim 43, wherein said at least one hash further 
includes an optional first pass hash or checksum as an optimization. 

45. (Original) A computer-readable medium having processor-executable 
instructions for performing the method of claim 33. 

46. (Original) A downloadable set of processor-executable instructions for 
performing the method of claim 33. 

47. (Currently amended) A system providing security for sensitive information, 
the system comprising: 

a data processing system receiving input of sensitive information; 

a secure lockbox module for storing a secure descriptor characterizing the 
sensitive information, so that the system can detect transmission of the sensitive 
information without a copy of the sensitive information itself being stored; and 

a security module for detecting, based on said secure descriptor, any attempted 
transmission of outgoing data that contains the sensitive information. 

48. (Original) The system of claim 47, wherein said input includes an indication 
of a type for the sensitive information. 

49. (Original) The system of claim 48, wherein said indication of a type includes 
a selected one of structured data and literal data. 

50. (Original) The system of claim 49, wherein said structured data includes a 
credit card number. 

51. (Original) The system of claim 47, further comprising: 
a security policy specifying what action is to be undertaken when the security 
module detects an attempt to transmit the sensitive information. 

52. (Original) The system of claim 51, wherein said security policy specifies an 
action of blocking any attempted transmission of the sensitive information. 

53. (Original) The system of claim 51, wherein said security policy specifies an 
action of prompting a user to allow or deny any attempted transmission of the sensitive 
information. 

54. (Original) The system of claim 47, wherein said sensitive information 
includes structured data, and wherein said secure descriptor includes regular expression 
information characterizing a particular format for the structured data and includes a hash 
computed on unformatted data extracted from said structured data. 

55. (Original) The system of claim 47, wherein said sensitive information 
includes literal data and wherein said secure descriptor includes a length value plus at 
least one hash of the literal data. 